CVE-2022-22954: VMSA-2022-0011

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

Advisory ID: VMSA-2022-0011.1

CVSSv3 Range: 5.3-9.8

Issue Date: 2022-04-06

Updated On: 2022-04-13

CVE(s): CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961

Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities.

**1. Impacted Products**

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

**2. Introduction**

Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.

**3a. Server-side Template Injection Remote Code Execution Vulnerability (CVE-2022-22954)**

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

To remediate CVE-2022-22954, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.

Workarounds for CVE-2022-22954 have been documented in the VMware Knowledge Base articles listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.

**3b. OAuth2 ACS Authentication Bypass Vulnerabilities (CVE-2022-22955, CVE-2022-22956)**

VMware Workspace ONE Access has two authentication bypass vulnerabilities in the OAuth2 ACS framework. VMware has evaluated the severity of these issues to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.

To remediate CVE-2022-22955 and CVE-2022-22956, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.

Workarounds for CVE-2022-22955 and CVE-2022-22956 have been documented in the VMware Knowledge Base articles listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

These issues only impact Workspace ONE Access.

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.

**3c. JDBC Injection Remote Code Execution Vulnerabilities (CVE-2022-22957, CVE-2022-22958)**

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities. VMware has evaluated the severity of these issues to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.

A malicious actor with administrative access can trigger deserialization of untrusted data through a malicious JDBC URI, which may result in remote code execution.

To remediate CVE-2022-22957 and CVE-2022-22958, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.

Workarounds for CVE-2022-22957 and CVE-2022-22958 have been documented in the VMware Knowledge Base articles listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.

**3d. Cross Site Request Forgery Vulnerability (CVE-2022-22959)**

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

A malicious actor can trick a user through a cross site request forgery to unintentionally validate a malicious JDBC URI.

To remediate CVE-2022-22959, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.

Workarounds for CVE-2022-22959 have been documented in the VMware Knowledge Base articles listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.

**3e. Local Privilege Escalation Vulnerability (CVE-2022-22960)**

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local access can escalate privileges to 'root'.

To remediate CVE-2022-22960, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.

Workarounds for CVE-2022-22960 have been documented in the VMware Knowledge Base articles listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware has confirmed that exploitation of CVE-2022-22960 has occurred in the wild.

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.

**3f. Information Disclosure Vulnerability (CVE-2022-22961)**

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

A malicious actor with remote access may leak the hostname of the target system. Successful exploitation of this issue can aid in targeting victims.

To remediate CVE-2022-22961, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.

Workarounds for CVE-2022-22961 have been documented in the VMware Knowledge Base articles listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.

Response Matrix - Access 21.08.x:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22954 | 9.8 | critical | KB88099 | KB88098 | FAQ |
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22955, CVE-2022-22956 | 9.8 | critical | KB88099 | KB88098 | FAQ |
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22957, CVE-2022-22958 | 9.1 | critical | KB88099 | KB88098 | FAQ |
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22959 | 8.8 | important | KB88099 | KB88098 | FAQ |
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22960 | 7.8 | important | KB88099 | KB88098 | FAQ |
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22961 | 5.3 | moderate | KB88099 | None | FAQ |

Response Matrix - Access 20.10.x:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22954 | 9.8 | critical | KB88099 | KB88098 | FAQ |
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22955, CVE-2022-22956 | 9.8 | critical | KB88099 | KB88098 | FAQ |
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22957, CVE-2022-22958 | 9.1 | critical | KB88099 | KB88098 | FAQ |
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22959 | 8.8 | important | KB88099 | KB88098 | FAQ |
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22960 | 7.8 | important | KB88099 | KB88098 | FAQ |
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22961 | 5.3 | moderate | KB88099 | None | FAQ |

Response Matrix - Identity Manager 3.3.x:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22954 | 9.8 | critical | KB88099 | KB88098 | FAQ |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22955, CVE-2022-22956 | N/A | N/A | Unaffected | N/A | N/A |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22957, CVE-2022-22958 | 9.1 | critical | KB88099 | KB88098 | FAQ |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22959 | 8.8 | important | KB88099 | KB88098 | FAQ |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22960 | 7.8 | important | KB88099 | KB88098 | FAQ |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22961 | 5.3 | moderate | KB88099 | None | FAQ |

Response Matrix - vRealize Automation (vIDM):

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| vRealize Automation [1] | 8.x | Linux | CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 | N/A | N/A | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22954 | N/A | N/A | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22955, CVE-2022-22956 | N/A | N/A | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-22957, CVE-2022-22958 | 9.1 | critical | KB88099 | KB88098 | FAQ |
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-22959 | 8.8 | important | KB88099 | KB88098 | FAQ |
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-22960 | 7.8 | important | KB88099 | KB88098 | FAQ |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22961 | N/A | N/A | Unaffected | N/A | N/A |

[1] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
[2] vRealize Automation 7.6 is affected since it uses embedded vIDM.
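The matrices and footnotes above are easiest to act on when they are encoded once and queried per inventory entry. The following triage helper is an added example, not VMware's code: its rows are transcribed from the Response Matrix tables on this page, the version strings it accepts are assumed to be dotted numerics, and the product names are the page's own labels.

```python
"""Triage helper built from the VMSA-2022-0011 Response Matrix above.
Added example, not VMware's code: the rows are transcribed from the page;
caller-supplied version strings are assumed to be dotted numerics."""

# Maximum CVSSv3 base score per CVE, as stated in sections 3a-3f.
SCORE = {
    "CVE-2022-22954": 9.8, "CVE-2022-22955": 9.8, "CVE-2022-22956": 9.8,
    "CVE-2022-22957": 9.1, "CVE-2022-22958": 9.1, "CVE-2022-22959": 8.8,
    "CVE-2022-22960": 7.8, "CVE-2022-22961": 5.3,
}
ALL = tuple(SCORE)
NOT_ACS = tuple(c for c in ALL if c not in ("CVE-2022-22955", "CVE-2022-22956"))
JDBC_CSRF_LPE = ("CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960")
NO_WORKAROUND = {"CVE-2022-22961"}  # matrix lists Workarounds = None for this one

# product -> (affected version patterns, affected CVEs). "8.x" is a wildcard on
# the major version. vRA 8.x is absent because footnote [1] marks it unaffected;
# a separately deployed vIDM is triaged as product "vIDM" with its own version.
MATRIX = {
    "Access": (("21.08.0.1", "21.08.0.0", "20.10.0.1", "20.10.0.0"), ALL),
    "vIDM": (("3.3.6", "3.3.5", "3.3.4", "3.3.3"), NOT_ACS),
    "vRealize Automation": (("7.6",), JDBC_CSRF_LPE),  # embedded vIDM, footnote [2]
    "VMware Cloud Foundation (vIDM)": (("4.x",), NOT_ACS),
    "VMware Cloud Foundation (vRA)": (("3.x",), JDBC_CSRF_LPE),
    "vRealize Suite Lifecycle Manager (vIDM)": (("8.x",), NOT_ACS),
}


def version_matches(version: str, pattern: str) -> bool:
    """'4.x' matches any version whose major component is 4; else exact match."""
    if pattern.endswith(".x"):
        return version.split(".")[0] == pattern[:-2]
    return version == pattern


def triage(product: str, version: str) -> dict:
    """Return the affected CVEs (highest CVSS first), the maximum score, and the
    KB article for the fix and for each workaround, for one inventory entry."""
    if product not in MATRIX:
        raise KeyError(f"{product!r} is not listed in VMSA-2022-0011")
    patterns, cves = MATRIX[product]
    if not any(version_matches(version, p) for p in patterns):
        return {"affected": (), "max_cvss": None, "fix": None, "workarounds": {}}
    ranked = tuple(sorted(cves, key=SCORE.__getitem__, reverse=True))
    return {
        "affected": ranked,
        "max_cvss": SCORE[ranked[0]],
        "fix": "KB88099",  # 'Fixed Version' column for every affected row
        "workarounds": {c: None if c in NO_WORKAROUND else "KB88098" for c in ranked},
    }


if __name__ == "__main__":
    # Constructed inventory entries, not real hosts.
    for prod, ver in (("Access", "21.08.0.1"), ("vIDM", "3.3.6"),
                      ("vRealize Automation", "8.2.0"), ("VMware Cloud Foundation (vIDM)", "4.4.1")):
        print(prod, ver, triage(prod, ver))
```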

Impacted Product Suites that Deploy Response Matrix Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Cloud Foundation (vIDM) | 4.x | Any | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 | 9.8, 9.1, 9.1, 8.8, 7.8, 5.3 | critical | KB88099 | KB88098 | FAQ |
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 | 9.1, 9.1, 8.8, 7.8 | critical | KB88099 | KB88098 | FAQ |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 | 9.8, 9.1, 9.1, 8.8, 7.8, 5.3 | critical | KB88099 | KB88098 | FAQ |

**4. References**

**5. Change Log**

2022-04-06: VMSA-2022-0011
Initial security advisory.

2022-04-13: VMSA-2022-0011.1
VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.

**6. Contact**

Related news

2022's most routinely exploited vulnerabilities—history repeats

What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? (Malwarebytes Labs)

Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities

A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five

3 Flaws, 1 War Dominated Cyber-Threat Landscape in 2022

Attackers continued to favor software exploits, phishing, and stolen credentials as initial-access methods last year, as Log4j and the Russia-Ukraine cyber conflict changed the threat landscape.

VMware Workspace ONE Access Privilege Escalation

This Metasploit module exploits CVE-2022-22960 which allows the user to overwrite the permissions of the certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with the uid 1001 to escalate their privileges to root access.

VMware Workspace ONE Remote Code Execution

This Metasploit module combines two vulnerabilities in order achieve remote code execution in the context of the horizon user. The first vulnerability, CVE-2022-22956, is an authentication bypass in OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second vulnerability, CVE-2022-22957, is a JDBC injection remote code execution vulnerability specifically in the DBConnectionCheckController class's dbCheck method which allows an attacker to deserialize arbitrary Java objects which can allow for remote code execution.

Patch ASAP: Critical Citrix, VMware Bugs Threaten Remote Workspaces With Takeover

Hole-y software alert, Batman: Cybercriminal faves Citrix Gateway and VMware Workspace ONE have authentication-bypass bugs that could offer up total access to attackers.

Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware

A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines. "The attacker intends to utilize a victim's resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," Fortinet FortiGuard Labs researcher Cara Lin said

Log4Shell Vulnerability Targeted in VMware Servers to Exfiltrate Data

CISA warns that threat actors are ramping up attacks against unpatched Log4Shell vulnerability in VMware servers.

Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks. "Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched,

EnemyBot Puts Enterprises in the Crosshairs With Raft of '1-Day' Bugs

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS). "The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

VMWare vulnerabilities are actively being exploited, CISA warns

CISA has issued severe warnings about disclosed vulnerabilities in VMWare products that are actively being exploited, probably by APT threat actors. (Malwarebytes Labs)

VMware Releases Patches for New Vulnerabilities Affecting Multiple Products

VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks. The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior

April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.